5 Takeaways From an Amazon Phish

Today, we saw a phish posted by Lance Spitzner, a board member of the National Cyber Security Alliance.

This phishing email was interesting, as Lance noted, because there was no attachment and it contained no malicious links. It looked like a perfectly legitimate email from Amazon, and every domain used in the message body and its headers was a legit Amazon email. In fact, the only thing amiss with the message was the phone number, which was really a tech support scam.

This shows just how devious and hard to detect phishing emails can be. While this kind of phish doesn’t often get media coverage (possibly because it’s so rarely detected), we know that it accounts for the majority of email attacks.

1: Same-domain impersonation is ridiculously easy.

Same-domain impersonation, also known as direct spoofing or reply-to spoofing, is a type of attack in which scammers put the actual domain of the company they’re impersonating into the From fields of their phish.

That’s why this kind of impersonation accounts for 40-60 percent of business email compromise attacks, according to Proofpoint. In another study, GreatHorn found that it accounted for 37.5 percent of all inbound email threats, more than any other category. Meanwhile, in our analysis of almost 3 billion messages sent during the month of October, 2017, Valimail found that about 1 in 5 came from an unauthorized sender — i.e., were likely fraudulent.

2: Phishing emails are undetectable by spam filters.

Spam filters operate by looking for anomalies, such as text like “VIAGRA” in all caps, which you are highly unlikely to find in any legitimate email messages.

These filters have been pretty effective at keeping Viagra ads and Nigerian princes out of our inboxes, but they don’t work well on phishing emails. In fact, they don’t work at all.

That’s because the ideal phish is almost 100% identical to a legitimate message from the company fraudsters are trying to impersonate. There’s just one tiny change: Maybe a different URL in one of the links, or maybe a different phone number. That’s it.

Anti-phishing training often tells people to look for typos or odd spellings that might give away that a phish is illegitimate. That works, if the phishers are not very skilled. Talented phishers, like the ones who created this message, can craft messages that are totally indistinguishable from the real thing.

3: Phishers use legitimate company domains to increase credibility.

As Lance noted, there are no suspicious URLs in this message. All the domains used are legitimate domains owned by Amazon. You can even verify the ownership of the amazonsupport.com domain that the message appears to come from. Yep — it’s owned by Amazon all right.

Using legitimate domains helps enhance the credibility of the message. Anyone who clicked on the links would be taken to an actual Amazon website. That’s exactly what the scammers want, in this case, because their goal is to get the recipient to call the phone number.

4: Even if you have some degree of authentication, you may still be vulnerable.

Amazonsupport.com has an SPF record configured, and it’s in order. Many companies advise you to set up SPF for your domains as a way of increasing email deliverability as well as protecting yourself against fraud.

However, SPF alone is useless for fraud protection, as you can see in this case. That’s because there’s nothing stopping a scammer from using an SPF-protected domain in the From field of their message. SPF only applies to the Return-Path header, which most people will never see.

The only way to keep scammers from using your domain in the From field is to add a DMARC record and set it to an enforcement policy (p=reject or p=quarantine).

5: It’s critical to lock down all of your domains with DMARC.

Amazon.com, the company’s main domain, is protected by both SPF and DMARC. (You can verify that with our domain checker.) Both are correctly configured and the DMARC policy is set to enforcement, so Amazon is protected from scammers trying to use their main domain in their messages.

About Valimail:
Valimail is an anti-phishing company that has been driving the global trustworthiness of digital communications since 2016, with the only comprehensive platform for stopping fake email, protecting brands, and helping ensure compliance. Valimail has won multiple cybersecurity technology awards and authenticates billions of messages a month for some of the world's biggest companies, including Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development. Valimail is based in San Francisco. For more information visit www.Valimail.com.

We use cookies to improve your experience on our site. By continuing to use this site or by using our services you are giving us your consent to do this. You can read more about our cookie policy here.